Third-party service provider’s security incident compromised Washingtonians’ personal information

Feb 1, 2021

A security incident involving a third-party provider of hosted software services, which was used by the Office of the Washington State Auditor, might have exposed sensitive data belonging to Washingtonians.

This data includes personal information from about 1.6 million unemployment claims made in 2020, as well as other information from some state agencies and local governments.

“I know this is one more worry for Washingtonians who have already faced unemployment in a year scarred by both job loss and a pandemic. I am sorry to share this news and add to their burdens,” said State Auditor Pat McCarthy. “This is completely unacceptable. We are frustrated and committed to doing everything we can to mitigate the harm caused by this crime.

“I want to be clear: This was an attack on a third-party service provider. The Employment Security Department did nothing to cause this, and is not responsible in any way for this incident,” McCarthy said.

SAO has notified law enforcement and the Attorney General's Office of the incident. SAO is also evaluating other tools and protocols for sharing data files in the future.

The Accellion security incident

The State Auditor's Office (SAO) uses the provider, Accellion, for services to transmit files. In January, Accellion issued a general announcement that it experienced a security incident in December. SAO subsequently learned that the incident allowed unauthorized access to records stored temporarily in Accellion's system during the file transfer process.

Based on investigations to date, the security incident happened on Dec. 25, when unauthorized access to numerous files held on the service provider's system occurred. SAO's use of this system ended on Dec. 31 for reasons unrelated to the incident. SAO first learned of the incident on Jan. 12, and immediately took action to determine what files might have been accessed by outside actors.

Here is some of the data we believe was affected:

  • Personal information of people who filed for unemployment claims from Jan. 1 to Dec. 10, 2020. In addition to members of the general public, this group includes many state employees, as well as people whose identity was used to file for claims fraudulently in early 2020. SAO was reviewing all claims data as part of an audit of that fraud incident. The data involves about 1.6 million claims and included the person's name, social security number and/or driver's license or state identification number, bank information, and place of employment.
  • Personal information of a smaller number of people, including data held by the Department of Children, Youth and Families.
  • Non-personal financial and other data from local governments and state agencies.

What SAO is doing

SAO is working closely with state cybersecurity officials, law enforcement, the Employment Security Department, the Department of Children, Youth and Families, and legal counsel. Local governments and other state agencies with data believed to be at risk have been notified. SAO is continuing to investigate the incident and identify any other data that might have been accessed. SAO will continue to follow state law and notify the individuals whose information could be vulnerable.

“We at the State Auditor's Office understand the importance of cybersecurity. Accountability and transparency are our core values,” McCarthy said. “We will continue to provide as much information as we can, as we move forward.”

What to expect if you are affected

At SAO, we are working swiftly to mitigate the harm caused by this crime. This includes help for people whose personal information is at risk. Those people will be notified as soon as possible. In the meantime, SAO has set up a webpage dedicated to providing the latest information on this incident. Please go to sao.wa.gov/breach2021.